Signed Kernel Modules

Now you can make the kernel check modules for a cryptographic signature before inserting them. Here's the detail of how it's done.

What Is Left to Do?

As shown in this article, a number of different steps are required
to generate a key, sign a kernel module and place the public
key into the kernel image. This still is a rough
development project. In order to make it more acceptable to the
kernel developers and to the Linux community in general, these steps
need to be automated, making it easier to sign all
kernel modules and handle the public key.

Besides the obvious need to simplify the use of this feature,
some other future goals of this project include:

Move the RSA code into the generic crypto framework, allowing
other kernel features to use it.

Allow more than one public key to be present in the kernel,
letting multiple sources of signed kernel modules run
in a single machine.

Simplify the signing logic to allow GPG's native signing
functionality or possibly the functionality provided in the
bsign program to be used, instead of the
custom mod program.

Acknowledgements

I would like to thank the developers at Ericsson, who have
created a kernel patch and program called
digsig, for allowing me to use their port of
GPG to the kernel. I previously had done this, but the
implementation was horrible; thankfully, they released their
port and were very helpful. The digsig
kernel patch allows users to sign programs and prevents the
kernel from running any program not signed. More
information about this project can be found at sourceforge.net/projects/disec.

I also would like to thank my employer, IBM, for allowing me to
work on this project, and Don Marti, for prodding me to
finish it and write this article.

Greg Kroah-Hartman currently is the Linux kernel maintainer for a
variety of different driver subsystems. He works for IBM, doing Linux
kernel-related things, and can be reached at greg@kroah.com.

Geek Guides

Pick up any e-commerce web or mobile app today, and you’ll be holding a mashup of interconnected applications and services from a variety of different providers. For instance, when you connect to Amazon’s e-commerce app, cookies, tags and pixels that are monitored by solutions like Exact Target, BazaarVoice, Bing, Shopzilla, Liveramp and Google Tag Manager track every action you take. You’re presented with special offers and coupons based on your viewing and buying patterns. If you find something you want for your birthday, a third party manages your wish list, which you can share through multiple social- media outlets or email to a friend. When you select something to buy, you find yourself presented with similar items as kind suggestions. And when you finally check out, you’re offered the ability to pay with promo codes, gifts cards, PayPal or a variety of credit cards.